© 2014 SpringOne 2GX. All rights reserved. Do not distribute without permission.
Groovy for System Administrators
By Dan Woods
Who Am I?
3
4
System administration is a multi-faceted problem domain, not dissimilar from software development.
- Me
5
At a high level, System Administration is about…
Provisioning
Deployment
Management
6
Provisioning…
• “Building” the server
• Creating the installation media
• Installing the OS on the server
7
Deployment…
• Getting our app on the server
• Making sure it runs there
• Managing environment dependencies
8
Management…
• Maintaining user accounts/access
• Managing resource authorization
• Designing security protocols
9
What about…
• Docker?
• Chef?
• Puppet?
• Ansible?
• Packer?
• Salt?
• CFEngine?
• Synctool?
• Rex?
• Rundeck?
• STAF?
• Server CM of the week?
10
A Disjointed Process
• CM setup just hopes that you’ve done everything right to start with
• The CM agent requires different requisite config than just OS installation
• May leave your server in an unknown state if the process didn’t succeed for some reason
[Diagram: server provisioning and configuration as OS installation, then a pre-provisioned server, then agent-based post-install configuration, ending at "?"]
11
We need to rethink the way that we build and work with server environments.
- Me
12
Environment Considerations
• Disaster Recovery
• Auditing
• Forensics
13
We need to be able to rapidly recover and reproduce an environment from configuration and archives alone.
- Me
14
Immutable Infrastructure
• Every new version of software gets a new server
• Servers are ephemeral entities in the infrastructure
• Pragmatic for adopting a software-defined network
15
Building Servers with Gradle
• Programmatic solution to supporting immutable infrastructure
• Servers are version controlled and archived
• "Builds" (ie. servers) can be archived for recovery and
reconstitution
• Continuous Integration, Continuous Delivery, Continuous
Deployment
16
Gradle Provisioning Plugin
https://github.com/danveloper/provisioning-gradle-plugin
17
Gradle Provisioning Plugin
• Provides a DSL to Gradle to represent a server's configuration
• Support for Continuous Integration and Continuous Deployment
• Continuous Delivery can be achieved through your CI system
18
Provisioning and Deployment through CI
[Pipeline diagram: Build: Web App Build Job -> Provisioning & Deployment Job -> Smoke Tests -> Production Deploy]
19
Authentication Hacking with Groovy
20
Pluggable Authentication Module
• Account Details
• Authentication
• Password Changes
• Session Interaction
21
Common PAM Modules
• LDAP (pam_ldap)
• Active Directory
• Radius
• … etc, etc, etc.
22
Why not let the software infrastructure manage the
server’s authentication strategy?
- Me
23
Why not Spring Security through a Grails application?
- Me
24
PAM Module: pam_exec.so
• Allows an external system script to provide for any layer of the PAM stack
25
PAM Account & Authentication with Grails
Add to /etc/pam.d/login (a "sufficient" module satisfies the stack as soon as it succeeds; when it fails, control falls through to the modules listed below it):
auth sufficient pam_exec.so debug expose_authtok /etc/security/onauth
account sufficient pam_exec.so /etc/security/onaccount

Create /etc/security/onauth script and mark it executable:
#!/bin/sh
# expose_authtok makes pam_exec.so write the password to stdin; the login name arrives in $PAM_USER
pass=$(cat)
# URL-encode both fields so a password containing '&', '=' or '%' cannot corrupt the form body
result=$(curl -s --data-urlencode "user=$PAM_USER" --data-urlencode "pass=$pass" http://192.168.0.106:8080/auth)
if [ "$result" != "success" ]; then
    exit 1
else
    /usr/sbin/useradd "$PAM_USER" -m -k /etc/skel
    exit 0
fi
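A fail-closed variant of the slide's onauth script, added here as an example (it is not from the talk or from the plugin's repository). It keeps the pam_exec.so contract the slide relies on (password on stdin via expose_authtok, login name in $PAM_USER) but validates the login name before it is put into a request or handed to useradd(8), URL-encodes both form fields, treats any curl failure or any body other than the exact string success as a denial, and runs useradd only when the account does not yet exist. The AUTH_URL value and the host name in it are assumptions; the slide posted to http://192.168.0.106:8080/auth, and because expose_authtok hands this script the cleartext password, the endpoint it forwards to should be reached over TLS or a local socket rather than plain HTTP.

```shell
#!/bin/sh
# Added example, not from the talk: a fail-closed /etc/security/onauth for
#   auth sufficient pam_exec.so expose_authtok /etc/security/onauth
# pam_exec.so passes the password on stdin and the login name in $PAM_USER.
# AUTH_URL is an assumed endpoint; the slide used http://192.168.0.106:8080/auth.
AUTH_URL="${AUTH_URL:-https://auth.example.internal/auth}"

# Fixed locale so the [a-z] range below is plain ASCII everywhere.
LC_ALL=C
export LC_ALL

# Accept only conservative Unix login names (lowercase letters, digits,
# '_', '.', '-'; no leading '-'; at most 32 characters) before the name is
# placed in a URL or passed to useradd(8). A leading '-' would otherwise be
# parsed by useradd as an option.
valid_pam_user() {
    case "$1" in
        ''|-*|.|..|*[!a-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# A login is accepted only when the HTTP exchange itself succeeded (curl
# exit 0, which with --fail also excludes 4xx/5xx replies) AND the body is
# exactly "success"; an empty or unexpected body is a denial.
auth_decision() {
    [ "$1" -eq 0 ] && [ "$2" = "success" ]
}

# Post the credentials to the web app. --data-urlencode keeps '&', '=' and
# '%' in a password from corrupting the form body; --max-time stops a hung
# service from blocking logins indefinitely.
remote_check() {
    status=0
    body=$(curl --silent --fail --max-time 5 \
        --data-urlencode "user=$1" \
        --data-urlencode "pass=$2" \
        "$AUTH_URL") || status=$?
    auth_decision "$status" "$body"
}

# Create the account and home directory once; a repeat login must not
# re-run useradd.
ensure_account() {
    getent passwd "$1" >/dev/null 2>&1 || useradd -m -k /etc/skel "$1"
}

main() {
    valid_pam_user "$PAM_USER" || exit 1
    pass=$(cat)                      # expose_authtok: the token arrives on stdin
    [ -n "$pass" ] || exit 1
    remote_check "$PAM_USER" "$pass" || exit 1
    ensure_account "$PAM_USER"
}

# Run main only when invoked as the onauth script, so the helper functions
# can also be sourced and exercised on their own.
case "$0" in
    */onauth|onauth) main ;;
esac
```

The decision helpers are separate functions so they can be exercised without a PAM stack: valid_pam_user rejects empty names, names beginning with '-' and anything outside [a-z0-9_.-], and auth_decision authenticates only when curl exited 0 and the response body is exactly success.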
26
Kernel Hacking with Groovy
27
Kernel Space IPC with Userland Groovy
[Diagram: Kernel Memory and Kernel Processes on one side, Userland Memory and Userland Processes on the other, bridged by procfs, netlink, mmap and UDP]
28
Groovy as a Rules Engine for `mkdir`
[Diagram, normal path: mkdir() -> __NR_mkdir -> syscall table -> mkdir_code -> filesystem]
29
Groovy as a Rules Engine for `mkdir`
[Diagram, intercepted path: mkdir() -> syscall table -> intercepted mkdir_code -> original mkdir_code -> filesystem]
30
Other Considerations for Kernel Hacking
• Intelligent Packet Inspection (a la IDS)
• Network Manipulation (via netlink interface)
• Packet tagging and external tracking
• User and application oriented metrics gathering
31
Questions?